Bug 1629979 (CVE-2018-16745) - CVE-2018-16745 mgetty: Stack-based buffer overflow in fax_notify_mail() in faxrec.c
Status: CLOSED ERRATA
Alias: CVE-2018-16745
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1629980 1631243
Blocks: 1629987
Reported: 2018-09-17 17:43 UTC by Pedro Sampaio
Modified: 2021-10-25 22:17 UTC (History)

Fixed In Version: mgetty 1.2.1
Last Closed: 2021-10-25 22:17:50 UTC


Attachments:
upstream patch (501 bytes, patch), 2018-09-20 09:40 UTC, Riccardo Schirone

Description Pedro Sampaio 2018-09-17 17:43:51 UTC
An issue was discovered in mgetty before 1.2.1. In fax_notify_mail() in faxrec.c, the mail_to parameter is not sanitized. It could allow a buffer overflow if long untrusted input can reach it.

References:

https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty

Comment 1 Pedro Sampaio 2018-09-17 17:44:30 UTC
Created mgetty tracking bugs for this issue:

Affects: fedora-all [bug 1629980]

Comment 3 Riccardo Schirone 2018-09-20 09:37:54 UTC
Mitigation:

Make sure the `notify` option in /etc/mgetty+sendfax/mgetty.config does not contain more than 150 characters and that the file is readable and writable only by root.
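
One way to check this mitigation on a host, as an added example that is not part of the bug report or of mgetty. It assumes mgetty.config uses "keyword value" lines with `#` comment lines and that `notify` may appear more than once; the function names and the sample file are constructed for illustration.

```python
import os
import stat
import tempfile

MAX_NOTIFY_LEN = 150  # limit stated in the mitigation


def audit_mgetty_config(path, owner_uid=0, max_len=MAX_NOTIFY_LEN):
    """Return a list of findings; an empty list means the mitigation holds."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != owner_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {owner_uid}")
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"mode {mode:04o} allows group/other access")
    # Read as bytes: the length that matters to a C buffer is the byte count.
    with open(path, "rb") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if line.startswith(b"#"):  # assumed comment syntax
                continue
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] == b"notify" and len(parts[1]) > max_len:
                findings.append(
                    f"line {lineno}: notify value is {len(parts[1])} bytes "
                    f"(limit {max_len})"
                )
    return findings


def demo():
    """Audit a constructed sample file (not a real system config)."""
    sample = (b"# constructed sample\nspeed 38400\nnotify faxadmin\n"
              b"port ttyS0\nnotify " + b"A" * 151 + b"\n")
    with tempfile.NamedTemporaryFile("wb", delete=False) as fh:
        fh.write(sample)
        path = fh.name
    try:
        os.chmod(path, 0o644)  # deliberately too permissive
        # Use the current uid so the demo works without root.
        return audit_mgetty_config(path, owner_uid=os.getuid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, call `audit_mgetty_config("/etc/mgetty+sendfax/mgetty.config")` with the default `owner_uid=0`.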

Comment 4 Riccardo Schirone 2018-09-20 09:38:53 UTC
Only root can write to /etc/mgetty+sendfax/mgetty.config and set the `notify` option which `mail_to` is set to when the program runs. Thus, this flaw is very unlikely to be exploited since it would require root to set a very long `notify` value.

Comment 5 Riccardo Schirone 2018-09-20 09:40:13 UTC
Created attachment 1485086
upstream patch

This patch was extracted from mgetty-1.2.1.
It is the same patch as the one for CVE-2018-16744.

Comment 8 Fedora Update System 2019-02-27 01:15:31 UTC
mgetty-1.1.37-10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2019-02-27 03:28:21 UTC
mgetty-1.1.37-11.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
